09/646I6/r 

CT/FRT I 4 SEP 2000. 

Description

Authentication of key devices

The invention relates to a method as claimed in
the precharacterizing clause of patent claim 1.

Such a method is described in principle in the
book by W. Fumy and H.P. Rieß: Kryptographie, Entwurf
und Analyse symmetrischer Kryptosysteme [Cryptography,
Design and Analysis of Symmetrical Cryptosystems], R.
Oldenbourg Verlag, Munich Vienna, 1988, ISBN 3-486-20868-3.

When voice or data are transmitted in encrypted form,
both communication partners must have a joint secret,
the keyword. This keyword is unknown to a potential
eavesdropper or enemy. One option for this is an
asymmetric encryption method, in which random numbers
are interchanged between the communication partners
and are used to form joint keywords.

With this method, it is impossible to determine
whether the encrypted link is being set up with the
desired communication partner or with an enemy.

Cryptographic methods may be used not only for
secrecy, but also for authentication of messages. The
encryption of a message using a keyword also, in
principle, includes its authenticity, since an enemy
cannot produce the clear text of the message without
knowledge of the keyword.

In an asymmetric cryptosystem, the keyword used
for encryption of a message is different to that used
for decryption. Such a system, with a public and a
private key, is also referred to as a public key
system. The best known example of the public key
system is the so-called RSA method, whose principles
are likewise described in the reference cited above.

At first glance, the system of key distribution
is largely solved when using asymmetric cryptosystems,
since the public keys can be interchanged without any
problems via insecure data channels. However, this is
true only provided that eavesdropping is regarded as
the only risk to a communications link. However, in
most cases, it is also necessary to take account of the
possibility of active attacks, in addition to passive
eavesdropping attempts. In this case, an active enemy
introduces himself into the data link between two
subscribers. Such an attack can be identified only when
authentication measures are used.

The invention is based on the object of
specifying a method by which it is possible to
authenticate the key devices involved in data
interchange.

This object is achieved according to the
invention by the features specified in patent claim 1.

The invention will be described in the
following text with reference to an exemplary
embodiment. The following abbreviations are used in the
description:

E        Encryption
D        Decryption
A, B, X  Subscribers
AD       Administrator
p        Public key
s        Secret key
pAD      Signature key, corresponds to the public key
         p of the administrator AD
Z        Certificate, corresponds to the public key p,
         to the name and further details of a
         subscriber X
S        Signature
S(Z)     Signature of the certificate Z

The invention is based on a cryptomethod in
which all the encryption devices are equipped with a
joint public key. This public key pAD is allocated by a
trustworthy entity, a so-called administrator AD. In
principle, this allows any device to communicate with
any other, with the devices involved being
authenticated.



Each key device is individually assigned a
certificate Z in a manner known per se, in practice in
the form of a name for this device. In addition, when
using the public key system, the certificate Z contains
the public key pX for the subscriber or user X.

According to the invention, user groups are
formed whose devices are equipped with a joint,
group-specific signature key pAD. This signature key
pAD is the public key pAD of the administrator AD. It
may be stored in the device itself, or may be in the
form of other storage means, for example on a smart
card. Such a user group has a limited number of
subscribers. This limits the dissemination of the
signature key pAD.

The administrator AD can produce a signature
S(Z(X)) for a certificate Z(X) for a user X in a manner
known per se. In this case, the certificate Z(X) is
encrypted using the secret key sAD of the administrator:

    S(Z(X)) = E(Z(X), sAD)

This signature S(Z(X)) is likewise stored, in fixed or
mobile form, in the key device of the user X.

The secret keys sAD, sX and the public keys
pAD, pX of the administrator AD and of the subscribers
X are part of the public key system, which is
implemented, for example, using the RSA algorithms.

The group-specific signature key pAD and the
subscriber-specific or device-specific signature
S(Z(X)) are, for example, loaded in the key device on
first initialization, in one refinement of the invention.
In addition, the associated certificate Z(X) is stored
in the key device. These data may also be distributed
to the appropriate subscriber on a smart card. Personal
contact with the administrator AD, or at least a secure
transmission channel to him, is required for these
procedures.

For secure communication, a link is set up
between the subscribers A and B (that is to say between
the associated key devices). The subscriber A transmits
the certificate Z(A) and the signature S(Z(A)) to the
subscriber B. The subscriber B can use the signature
key pAD (that is to say the public key p of the
administrator AD) to verify the authenticity of the
certificate Z(A), that is to say the authenticity of
the subscriber A:

    D(S(Z(A)), pAD) = Z(A)

The subscriber A checks the subscriber B in an 
analogous manner. 

A potential attacker is external to the group,
has no signature S assigned by the administrator AD,
and can thus not set up a link to any subscriber in
this group.

In the event of theft, the corresponding devices are
excluded from the user group, so that they cannot be
used by an attacker. To do this, in one possible
refinement of the invention, a list of approved
subscribers or key devices is stored in the key device.
The identities of the possible key devices may be
stored, with an appropriate security question being
integrated in the process of setting up a link.
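
The certificate check at link setup and the list of approved subscribers described above, as an added example that is not part of the original specification. It uses textbook RSA in Python on a constructed toy key; the certificate layout, the function names and all sample values are assumptions made for illustration.

```python
# Added example: textbook RSA on constructed toy parameters, demo only.
# A real device would use a vetted library and a padded signature scheme.
P, Q = 2**521 - 1, 2**607 - 1                 # two known Mersenne primes
N, E_PUB = P * Q, 65537                       # pAD, stored in every group device
S_AD = pow(E_PUB, -1, (P - 1) * (Q - 1))      # sAD, kept by the administrator


def make_certificate(name, p_x):
    """Z(X): name and public key pX of subscriber X (hypothetical layout)."""
    if ";" in name or "=" in name:
        raise ValueError("separator characters are not allowed in a name")
    return f"name={name};pX={p_x:x}".encode()


def sign_certificate(z):
    """Administrator: S(Z(X)) = E(Z(X), sAD)."""
    m = int.from_bytes(z, "big")
    if not 0 < m < N:
        raise ValueError("certificate does not fit the modulus")
    return pow(m, S_AD, N)


def verify_peer(z, s, approved):
    """Device: accept only if D(S(Z), pAD) == Z and the name is approved."""
    if not isinstance(s, int) or not 0 < s < N:
        return False
    recovered = pow(s, E_PUB, N)
    as_bytes = recovered.to_bytes((recovered.bit_length() + 7) // 8, "big")
    if as_bytes != z:                         # byte-exact, no leading-zero slack
        return False                          # not signed by AD, or Z altered
    name = z.decode().split(";")[0].partition("=")[2]
    return name in approved                   # stolen devices are delisted


def run_demo():
    approved = {"A", "B"}                     # list stored in B's key device
    z_a = make_certificate("A", 0xA11CE)      # constructed sample values
    s_a = sign_certificate(z_a)
    return {
        "genuine": verify_peer(z_a, s_a, approved),
        "outsider": verify_peer(make_certificate("A", 0xBAD), 12345, approved),
        "altered_key": verify_peer(make_certificate("A", 0xBAD), s_a, approved),
        "stolen": verify_peer(z_a, s_a, approved - {"A"}),
    }


if __name__ == "__main__":
    print(run_demo())
```

The "stolen" case carries a valid administrator signature and is rejected only by the approved list, which is why the exclusion step has to be part of link setup rather than of certificate issuance.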



